Abstract

Halpern, Moses and Tuttle presented a definition of interactive proofs using a notion they called practical knowledge, but left open the question of finding an epistemic formula that completely characterizes zero knowledge; that is, a formula that holds iff a proof is zero knowledge. We present such a formula, and show that it does characterize zero knowledge. Moreover, we show that variants of the formula characterize variants of zero knowledge such as concurrent zero knowledge [Dwork, Naor, and Sahai 1998] and proofs of knowledge [Feige, Fiat, and Shamir 1987; Tompa and Woll 1987].


1 Introduction


The notions of interactive proof and zero knowledge were introduced by Goldwasser, Micali, and Rackoff [1989], and have been the subject of extensive research ever since. Informally, an interactive proof is a two-party conversation in which a “prover” tries to convince a polynomial-time “verifier” of the truth of a fact $p$ (where $p$ typically has the form $x \in L$, where $x$ is a string and $L$ is a language or set of strings) through a sequence of interactions. An interactive proof is said to be zero knowledge if, whenever $p$ holds, the verifier has an algorithm to generate on its own the conversations it could have had with the prover during an interactive proof of $p$ (according to the correct distribution of possible conversations). Intuitively, the verifier does not learn anything from talking to the prover (other than $p$) that it could not have learned on its own by generating the conversations itself. Consequently, the only knowledge gained by the verifier during an interactive proof is that $p$ is true. The notion of “knowledge” used in zero knowledge is based on having an algorithm to generate the transcript of possible conversations with the prover; the zero-knowledge condition places a restriction on what the verifier is able to generate after interacting with the prover (in terms of what he could generate before). The relationship between this ability to generate and logic-based notions of knowledge is not immediately obvious. Having a logic-based characterization of zero knowledge would enhance our understanding and perhaps allow us to apply model-checking tools to test whether proofs are in fact zero knowledge. However, getting such a characterization is not easy. Since both probability and the computational power of the prover and verifier play crucial roles in the definition of zero knowledge, it is clear that the standard notion of knowledge (truth in all possible worlds) will not suffice.

Halpern, Moses and Tuttle [1988] (HMT from now on) were the first to study the relationship between knowledge and being able to generate. They presented a definition of interactive proofs using a notion they called practical knowledge. They proved that, with high probability, the verifier in a zero-knowledge proof of $x \in L$ practically knows a fact $\psi$ at the end of the proof iff it practically knows $x \in L \Rightarrow \psi$ at the beginning of the proof; they call this property knowledge security. Intuitively, this captures the idea that zero knowledge proofs do not “leak” knowledge of facts other than those that follow from $x \in L$. They also define a notion of knowing how to generate a $y$ satisfying a relation $R(x, y)$, and prove that, with high probability, if the verifier in a zero-knowledge proof of $x \in L$ knows how to generate a $y$ satisfying $R(x, y)$ at the end of the proof, then he knows how to do so at the beginning as well; they called this property generation security. This captures the intuition that at the end of a zero-knowledge proof, the verifier cannot do anything that it could not do at the beginning.

HMT left open the question of finding an epistemic formula that completely characterizes zero knowledge; that is, a formula that holds iff a proof is zero knowledge [Goldwasser, Micali, and Rackoff 1989]. In this paper we present a strengthening of knowledge security and generation security that we call relation hiding, which we show does characterize zero knowledge. Moreover, we show that variants of relation hiding characterize variants of zero knowledge such as concurrent zero knowledge [Dwork, Naor, and Sahai 1998] and proofs of knowledge [Feige, Fiat, and Shamir 1987; Tompa and Woll 1987].


2 Background

In this section, we review the relevant background both in cryptography (interactive proof systems and zero knowledge) and epistemic logic (specifically, modeling knowledge and probability using the runs and systems framework [Fagin, Halpern, Moses, and Vardi 1995; Halpern and Tuttle 1993]). In addition, we introduce some of the notation that will be needed for our new results.

2.1 Interactive Proof Systems

An interactive protocol is an ordered pair $(P, V)$ of probabilistic Turing machines. $P$ and $V$ share a read-only input tape; each has a private one-way, read-only random tape; each has a private work tape; and $P$ and $V$ share a pair of one-way communication tapes, one from $P$ to $V$ being write-only for $P$ and read-only for $V$, and the other from $V$ to $P$ being write-only for $V$ and read-only for $P$. An execution of the protocol $(P, V)$ is defined as follows. At the beginning, the input tape is initialized with some common input $x$, each random tape is initialized with an infinite sequence of random bits, each work tape may or may not be initialized with an initial string, and the communication tapes are initially blank. The execution then proceeds in a sequence of rounds. During any given round, $V$ first performs some internal computation making use of its work tape and other readable tapes, and then sends a message to $P$ by writing on its write-only communication tape; $P$ then performs a similar computation. Either $P$ or $V$ may halt the interaction at any time by entering a halt state. $V$ accepts or rejects the interaction by entering an accepting or rejecting halt state, respectively, in which case we refer to the resulting execution as either an accepting or rejecting execution. The running time of $P$ and $V$ during an execution of $(P, V)$ is the number of steps taken by $P$ and $V$ respectively, during the execution. We assume that $V$ is a probabilistic Turing machine running in time polynomial in $|x|$, and hence that it can perform only probabilistic, polynomial-time computations during each round. For now we make no assumptions about the running time of $P$.

Denote by $(P(s) \leftrightarrow V(t))(x)$ the random variable that takes two random strings $\rho_P, \rho_V \in \{0,1\}^\infty$ as input and outputs an execution of $(P, V)$ in which the prover's work tape is initialized with $s$, the verifier's work tape is initialized with $t$, the input tape is initialized with $x$, and $\rho_P, \rho_V$ are the contents of the prover's and verifier's respective random tapes. We can think of $s$ as the prover's auxiliary information, $t$ as the verifier's initial information, and $x$ as the common input. Let $\mathit{Accept}_V[(P(s) \leftrightarrow V(t))(x)]$ be the random variable that takes two infinite random strings $\rho_P, \rho_V \in \{0,1\}^\infty$ as input, and outputs true iff the verifier enters an accept state at the end of the execution of the protocol $(P, V)$ where $\rho_P$ and $\rho_V$ are the contents of the prover's and verifier's respective random tapes, and false otherwise.

Informally, an interactive protocol $(P, V)$ is an interactive proof system for a language $L$ if, when run on input $x$ (and possibly some auxiliary inputs $s$ and $t$), after the protocol, if the prover and verifier are both “good” (that is, the prover uses $P$ and the verifier uses $V$) the verifier is almost always convinced that $x \in L$. Moreover, no matter what protocol the prover uses, the verifier will hardly ever be convinced that $x \in L$ if it is not. The “almost always” and “hardly ever” are formalized in terms of negligible functions. A function $\epsilon : \mathbb{N} \to [0,1]$ is negligible if for every positive integer $k$ there exists an $n_0 \in \mathbb{N}$ such that for all $n > n_0$, $\epsilon(n) < 1/n^k$; that is, $\epsilon$ is eventually smaller than any inverse polynomial. Finally, let $\Pr_{U^k}$ denote the uniform probability over strings in $(\{0,1\}^\infty)^k$. For ease of notation, we typically omit the subscript $k$ when it does not play a significant role or is clear from context, writing just $\Pr_U$.

Definition 1 An interactive protocol $(P, V)$ is an interactive proof system for language $L$ if the following conditions are satisfied:

• Completeness: There exists a negligible function $\epsilon$ such that for sufficiently large $|x|$ and for every $s$ and $t$, if $x \in L$ then

$$\Pr_U[\mathit{Accept}_V[(P(s) \leftrightarrow V(t))(x)]] \ge 1 - \epsilon(|x|).$$

• Soundness: There exists a negligible function $\delta$ such that for sufficiently large $|x|$, for every protocol $P^*$ for the prover, $s$, and $t$, if $x \notin L$ then

$$\Pr_U[\mathit{Accept}_V[(P^*(s) \leftrightarrow V(t))(x)]] \le \delta(|x|).$$

The completeness condition is a guarantee to both the good prover and the good verifier that if $x \in L$, then with overwhelming probability the good prover will be able to convince the good verifier that $x \in L$. The soundness condition is a guarantee to the good verifier that if $x \notin L$, then the probability that an arbitrary (possibly malicious) prover is able to convince the good verifier that $x \in L$ is very low. The probability here is taken over the runs of the protocol where the prover's initial information is $s$, the verifier's initial information is $t$, and $x$ is the common input. The probability is generated by the random coin flips of the prover and verifier (which in turn determine what happens in the run); we do not assume a probability on $s$, $t$, or $x$.

2.2 Zero Knowledge

To make the notion of zero knowledge precise, we need a few preliminary definitions. We consider zero-knowledge proofs of languages $L$ that have a witness relation $R_L$, where $R_L$ is a set of pairs $(x, y)$ such that $x \in L$ iff there exists a $y$ such that $(x, y) \in R_L$; let $R_L(x) = \{y : (x, y) \in R_L\}$. Note that all languages in the complexity class NP have this property. Define $\mathit{View}_V[(P(s) \leftrightarrow V(t))(x)]$ to be the random variable that, on input $\rho_P, \rho_V$, describes the verifier's view in the execution $(P(s) \leftrightarrow V(t))(x)(\rho_P, \rho_V)$, that is, the verifier's initial auxiliary input $t$, the sequence of messages received and read thus far by the verifier, and the sequence of coin flips used thus far.

The intuition behind zero knowledge is that the reason the verifier learns nothing from an interaction is that he can simulate it. The simulation is carried out by a probabilistic Turing machine. It should be possible to carry out the simulation no matter what algorithm the verifier uses (since we hope to show that, no matter what algorithm the verifier uses, he gains no information beyond the fact that $x \in L$), so we have a simulator $S_{V^*}$ for every algorithm $V^*$ of the verifier. The simulator $S_{V^*}$ actually generates verifier views of the conversations. With perfect zero knowledge, the distribution of the views created by $S_{V^*}$ given just inputs $x$ and $t$ (which is all the verifier sees) is identical to the actual distribution of the verifier's views generated by $(P(s) \leftrightarrow V(t))(x)$. With statistical zero knowledge, the two distributions are just required to be close. Finally, with computational zero knowledge, no PPT (probabilistic polynomial time) algorithm can distinguish the distributions. We capture the notion of “distinguishing” here by using a PPT distinguisher $D$. The distinguisher gets as input verifier views generated by $S_{V^*}$ and by the actual conversation, and must output either 1 or 0, depending on whether it believes the view came from $S_{V^*}$ or the actual conversation. Notice that the inputs to the simulator ($x$ and $t$) are both accessible by the verifier, so the verifier could, given his initial state and the common input, run the simulator instead of interacting with the prover. The distinguisher tries to identify whether the verifier talked to the prover or ran the simulator on his own. If no distinguisher is able to tell the difference, then the verifier might as well not have interacted with the prover but run the simulator instead; we say that the interaction was “zero-knowledge” in this case because the verifier saw nothing during the interaction that he could not simulate.
We allow the distinguisher to have additional information in the form of auxiliary inputs (in addition to the view it is trying to distinguish). This allows the distinguisher to have information that the verifier never sees, such as information about the prover's state, since such information could be helpful in identifying views from the interaction and telling them apart from those produced by the verifier alone. Allowing the distinguisher to get such auxiliary inputs strengthens the zero knowledge requirement in that, no matter what additional information the distinguisher might have, he cannot tell apart views of the interaction from simulated ones.

Definition 2 An interactive proof system $(P, V)$ for $L$ is said to be computational zero knowledge if for every PPT verifier protocol $V^*$, there is a probabilistic Turing machine $S_{V^*}$ that takes as input the common input $x$ and verifier's auxiliary information $t$, runs in expected time polynomial in $|x|$, and outputs a view for the verifier such that for every PPT (probabilistic polynomial time) Turing machine $D$ that takes as input a view of the verifier and an auxiliary input $z \in \{0,1\}^*$, there exists a negligible function $\epsilon$ such that for all $x \in L$, $s \in R_L(x)$, $t \in \{0,1\}^*$, $z \in \{0,1\}^*$,

$$\bigl|\Pr_U[D(S_{V^*}(x, t), z) = 1] - \Pr_U[D(\mathit{View}_V[(P(s) \leftrightarrow V^*(t))(x)], z) = 1]\bigr| \le \epsilon(|x|).$$

2.3 The Runs and Systems Framework

Our analysis of interactive proof systems is carried out in the runs and systems framework [Fagin, Halpern, Moses, and Vardi 1995]. The systems we consider consist of a (possibly infinite) set of communicating agents. Agents share a global clock that starts at time 0 and proceeds in discrete increments of one. Computation in the system proceeds in rounds, round $m$ lasting from time $m-1$ to time $m$. During a round, each agent first performs some (possibly probabilistic) local computation, then sends messages to other agents, and then receives all messages sent to him during that round. Each agent starts in some initial local state; its local state then changes over time. The agent's local state at time $m > 0$ consists of the time on the global clock, the agent's initial information (if any), the history of messages the agent has received from other agents and read, and the history of coin flips used. A global state is a tuple of local states, one for each agent and one for nature, which keeps track of information about the system not known to any of the agents. We think of each agent as following a protocol that specifies what the agent should do in every local state. An infinite execution of such a protocol (an infinite sequence of global states) is called a run. We define a system to be a set of such runs, often the set of all possible runs of a particular protocol. Given a run $r$ and a time $m$, we refer to $(r, m)$ as a point, and we say that $(r, m)$ is a point of the system $\mathcal{R}$ if $r \in \mathcal{R}$. We denote the global state at the point $(r, m)$ (that is, the global state at time $m$ in $r$) by $r(m)$, and the local state of agent $a$ in $r(m)$ by $r_a(m)$. Let $\mathcal{K}_a(r, m) = \{(r', m') : r_a(m) = r'_a(m')\}$; $\mathcal{K}_a(r, m)$ can be thought of as the set of points that $a$ considers possible at $(r, m)$, because he has the same local state at all of them. Since the agent's local state at time $m$ consists of the time on the global clock, any point that $a$ considers possible at $(r, m)$ is also at time $m$, so $\mathcal{K}_a(r, m) = \{(r', m) : r_a(m) = r'_a(m)\}$.

In interactive proof systems, we assume that there are two agents, a prover $p$ and a verifier $v$. Both agents have a common input (typically a string $x \in \{0,1\}^*$); we denote by $r_c(0)$ the common input in run $r$. We also assume that the prover and verifier agents have initial local states $r_p(0) = s \in \{0,1\}^*$ and $r_v(0) = t \in \{0,1\}^*$, respectively, both of which contain $r_c(0)$. Additionally, we assume that nature's state at all times $m$ includes a tuple $(\rho^r_p, \rho^r_v, \rho^r, P^*, V^*)$, where $\rho^r_p$ and $\rho^r_v$ are the prover's and verifier's random tapes, respectively, in run $r$, $\rho^r$ is an additional tape whose role is explained in Section 3, and $P^*$ and $V^*$ are the protocols of the prover and verifier. An interactive protocol $(P, V)$ generates a system. The runs of the system correspond to possible executions of $(P, V)$. Following HMT, we denote by $P \times V$ the system consisting of all possible executions of $(P, V)$ and by $P \times \mathcal{V}_{PP}$ the system consisting of the union of the systems $P \times V^*$ for all probabilistic, polynomial-time (PPT) protocols $V^*$.¹ $\mathcal{P}_{PP} \times V$ is defined analogously. More generally, we let $\mathcal{P} \times \mathcal{V}$ denote the system consisting of the union of the systems $P \times V$ for all prover protocols $P \in \mathcal{P}$ and verifier protocols $V \in \mathcal{V}$. Since we need to reason about probability, we augment a system to get a probabilistic system, by adding a function $\mathcal{PR}_a$ for each agent that associates with each point $(r, m)$ a probability $\mathcal{PR}_a(r, m)$ on points for agent $a$, whose support is contained in $\mathcal{K}_a(r, m)$. In many cases of interest, we can think of $\mathcal{PR}_a(r, m)$ as arising from conditioning an initial probability on runs on the agent's current local state, to give a probability on points. There are subtleties to doing this, though. We often do not have a probability on the set of all executions of a protocol. For example, as we observed in the case of interactive proofs, we do not want to assume a probability on the auxiliary inputs $s$ and $t$ or the common input $x$. The only source of probability is the random coin flips.

Halpern and Tuttle [1993] suggested a formalization of this intuition. Suppose that we partition the runs of $\mathcal{R}$ into cells, with a probability on each cell. For example, in the case of interactive proof systems, we could partition the runs into sets $\mathcal{R}_{s,t}$, according to the inputs $s$ and $t$. The random coin flips of the prover and verifier protocols then give us a well-defined probability on the runs in $\mathcal{R}_{s,t}$. We can then define $\mathcal{PR}_a(r, m)$ by conditioning in the following sense: Given a set $S$ of points, let $\mathcal{R}(S) = \{r : (r, m) \in S \text{ for some } m\}$. Let $\mathcal{R}(r)$ be the cell of the partition of $\mathcal{R}$ that includes $r$, and let $\Pr_{\mathcal{R}(r)}$ be the probability on the cell. If $A$ is an arbitrary set of points, define

$$\mathcal{PR}_a(r, m)(A) = \Pr_{\mathcal{R}(r)}\bigl(\mathcal{R}(A \cap \mathcal{K}_a(r, m)) \mid \mathcal{R}(\mathcal{K}_a(r, m)) \cap \mathcal{R}(r)\bigr).$$

(We assume for simplicity that all the relevant sets are measurable and that $\Pr_{\mathcal{R}(r)}(\mathcal{R}(\mathcal{K}_a(r, m)) \cap \mathcal{R}(r)) \ne 0$.) Note that for synchronous systems (such as those we deal with), since $\mathcal{K}_a(r, m)$ is a set of time $m$ points, the support of $\mathcal{PR}_a(r, m)$ is a subset of time $m$ points (i.e., $\mathcal{PR}_a(r, m)(A) = 0$ unless $A$ includes some time $m$ points, since otherwise $A \cap \mathcal{K}_a(r, m) = \emptyset$). Intuitively, we associate a set of points with the set of runs going through it, and then define the probability $\mathcal{PR}_a(r, m)$, which is $a$'s distribution on points at the point $(r, m)$, by conditioning the probability on runs defined on $r$'s cell on the runs going through the set $\mathcal{K}_a(r, m)$ (i.e. the runs $a$ considers possible given his information at point $(r, m)$). A probabilistic system is standard if it is generated from probabilities on runs in this way.

In systems where the runs are generated by randomized algorithms, the cells are typically taken so as to factor out all the “nonprobabilistic” or “nondeterministic” choices. In particular, we do this for the system $P \times V$, so that we partition the runs into cells $\mathcal{R}_{s,t}$, according to the inputs $s$ and $t$, as suggested above, and take the probability on the runs in the cell to be determined solely by the random inputs of the prover and verifier $\rho_p$ and $\rho_v$ and the random string $\rho$ contained in nature's state. Thus, we can identify the probability on $\mathcal{R}_{s,t}$ with the uniform distribution $\Pr_U$. The probabilities on the system $\mathcal{P} \times \mathcal{V}$ are defined by the probabilities on each individual system $P \times V$ for $P \in \mathcal{P}$ and $V \in \mathcal{V}$; that is, we now partition the runs of the system into cells according to the prover and verifier protocols $P, V$ and the inputs $s$ and $t$, so there now is a separate cell for each combination of $P$, $V$, $s$, and $t$, and the probability $\Pr_{\mathcal{R}_{P,V,s,t}}$ can be identified with the uniform distribution $\Pr_U$.

¹Note that we distinguish $p$ and $v$, the “prover” and the “verifier” agents respectively, from the protocols that they are running. In the system $P \times V$, the verifier is always running the same protocol $V$ in all runs. In the system $P \times \mathcal{V}_{PP}$, the verifier may be running different protocols in different runs.
2.4 Reasoning About Systems

To reason about systems, we assume that we have a collection of primitive facts such as “the value of the variable $x$ is a prime number” (where $x$ is the common input in the run), or “$x \in L$”, where $L$ is some set of strings. Each primitive fact $\varphi$ is identified with a set $\pi(\varphi)$ of points, interpreted as the set of points at which $\varphi$ holds. A point $(r, m)$ in a system $\mathcal{R}$ satisfies $\varphi$, denoted $(\mathcal{R}, r, m) \models \varphi$, if $(r, m) \in \pi(\varphi)$. We extend this collection of primitive facts to a logical language by closing under the usual boolean connectives, the linear temporal logic operator $\Diamond$ (eventually), operators at time $m^*$ for each time $m^*$, the epistemic operators $K_a$, one for each agent $a$, and probability operators of the form $pr_a^\lambda$ for each agent $a$ and real number $\lambda$. The definitions of all these operators are standard:

• $(\mathcal{R}, r, m) \models \Diamond\varphi$ iff $(\mathcal{R}, r, m') \models \varphi$ for some $m' \ge m$.

• $(\mathcal{R}, r, m) \models K_a\varphi$ iff $(\mathcal{R}, r', m') \models \varphi$ for all $(r', m') \in \mathcal{K}_a(r, m)$. (Intuitively, agent $a$ knows $\varphi$ if $\varphi$ is true at all the worlds that agent $a$ considers possible.)

• $(\mathcal{R}, r, m) \models$ at time $m^*$ $\varphi$ iff $(\mathcal{R}, r, m^*) \models \varphi$.

• $(\mathcal{R}, r, m) \models pr_a^\lambda(\varphi)$ iff $\mathcal{PR}_a(r, m)([\varphi]) \ge \lambda$, where $[\varphi] = \{(r', m) : (\mathcal{R}, r', m) \models \varphi\}$.

We write $\mathcal{R} \models \varphi$ if $(\mathcal{R}, r, m) \models \varphi$ for all points $(r, m)$ in $\mathcal{R}$.
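To make the semantics of Sections 2.3 and 2.4 concrete, the following Python program is an added example (not code from the paper) that evaluates formulas over a small constructed system by applying the definitions above literally: $\mathcal{K}_a$ from equality of local states, $\mathcal{PR}_a$ by conditioning the cell's probability on the runs through $\mathcal{K}_a(r, m)$, and the four operator clauses. The system, the two-round protocol it is built from (a prover holding a bit $s$ that is first masked with a coin and then unmasked), the tuple encoding of formulas and all names are constructed here for illustration and are not the paper's.

```python
"""Toy model checker for the runs-and-systems semantics of Sections 2.3 and 2.4 (added example,
not code from the paper).  A run is a tuple of global states r(0), r(1), ...; a global state maps
each agent (and 'nature') to a hashable local state whose first component is the global clock.
Runs are partitioned into cells and probability is defined only inside a cell, following the
Halpern-Tuttle construction.  Formulas are nested tuples: ('prim', f), ('not', phi), ('and', ..),
('imp', ..), ('ev', phi) for the temporal 'eventually', ('at', m*, phi), ('K', a, phi) and
('pr', a, lambda, phi)."""
from fractions import Fraction

class System:
    def __init__(self, runs):
        self.runs = runs               # list of (run, cell_id, weight); weights sum to 1 per cell
        self.horizon = len(runs[0][0])

    def points(self):
        return [(i, m) for i in range(len(self.runs)) for m in range(self.horizon)]

    def local(self, a, i, m):
        return self.runs[i][0][m][a]   # r_a(m) for run index i

    def K(self, a, i, m):
        """K_a(r,m): points whose a-local state equals r_a(m); the clock forces them to time m."""
        la = self.local(a, i, m)
        return {(j, n) for (j, n) in self.points() if self.local(a, j, n) == la}

    def PR(self, a, i, m, A):
        """PR_a(r,m)(A) = Pr_{R(r)}( R(A & K_a(r,m)) | R(K_a(r,m)) & R(r) ), R(S) = runs through S."""
        cell, K = self.runs[i][1], self.K(a, i, m)
        in_cell = lambda S: {j for (j, _) in S if self.runs[j][1] == cell}
        num = sum((self.runs[j][2] for j in in_cell(A & K)), Fraction(0))
        den = sum(self.runs[j][2] for j in in_cell(K))       # assumed non-zero, as in the paper
        return num / den

    def sat(self, phi, i, m):
        op = phi[0]
        if op == 'prim': return phi[1](self.runs[i][0], m)
        if op == 'not':  return not self.sat(phi[1], i, m)
        if op == 'and':  return self.sat(phi[1], i, m) and self.sat(phi[2], i, m)
        if op == 'imp':  return (not self.sat(phi[1], i, m)) or self.sat(phi[2], i, m)
        if op == 'ev':   return any(self.sat(phi[1], i, n) for n in range(m, self.horizon))
        if op == 'at':   return self.sat(phi[2], i, phi[1])
        if op == 'K':    return all(self.sat(phi[2], j, n) for (j, n) in self.K(phi[1], i, m))
        if op == 'pr':   # pr_a^lambda(psi) holds iff PR_a(r,m)([psi]) >= lambda
            a, lam, psi = phi[1:]
            return self.PR(a, i, m, {p for p in self.points() if self.sat(psi, *p)}) >= lam
        raise ValueError(op)

    def valid(self, phi):              # R |= phi: true at every point
        return all(self.sat(phi, i, m) for (i, m) in self.points())

def build_system():
    """Constructed two-round system: the prover p holds a bit s with no probability on it, so each
    value of s is its own cell; nature's coin c is uniform within a cell.  Round 1: p sends s XOR c
    to the verifier v.  Round 2: p sends c.  Run index is 2*s + c."""
    runs = []
    for s in (0, 1):
        for c in (0, 1):
            run = ({'p': (0, s),    'v': (0,),          'nature': (0, s, c)},
                   {'p': (1, s, c), 'v': (1, s ^ c),    'nature': (1, s, c)},
                   {'p': (2, s, c), 'v': (2, s ^ c, c), 'nature': (2, s, c)})
            runs.append((run, ('cell', s), Fraction(1, 2)))
    return System(runs)

S_IS_1 = ('prim', lambda r, m: r[0]['nature'][1] == 1)    # "the prover's bit s is 1"
C_IS_1 = ('prim', lambda r, m: r[0]['nature'][2] == 1)    # "nature's coin c is 1"
KNOWS_S = ('K', 'v', S_IS_1)                               # K_v(s = 1)
```

Two checks are worth running by hand. First, `build_system().valid(('imp', S_IS_1, ('ev', KNOWS_S)))` holds: in every run with $s = 1$ the verifier eventually knows it, because at time 2 its local state $(2, s \oplus c, c)$ pins down $s$, while at time 1 the masked bit is consistent with a run from the other cell. Second, at the time-1 point of the run with $s = 0, c = 1$, `pr_v^1(c = 1)` holds but `K_v(c = 1)` fails: $\mathcal{PR}_v$ conditions on the cell, which fixes the nonprobabilistic $s$ and hence $c$, whereas $\mathcal{K}_v$ ranges over both cells. That gap is exactly why the framework keeps $s$, $t$ and $x$ out of the probability space and why the paper states relation hiding with both $K$-style and $pr$-style operators.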

3 Characterizing Zero Knowledge Using Relation Hiding

We identify “knowing something about the initial state of the system” with “being able to generate a witness for some relation on the initial state”.

For example, if the language $L$ from which the common input $x$ is taken is the set of all Hamiltonian graphs, then we can define a relation $R$ such that $R(s, t, x, y)$ holds iff $y$ is a Hamiltonian cycle in graph $x$. (Here the relation is independent of $s$ and $t$.) Recall that a Hamiltonian cycle in a graph is a path that goes through every vertex exactly once, and starts and ends at the same vertex; a Hamiltonian graph is a graph with a Hamiltonian cycle. We can think of a Hamiltonian cycle $y$ as a witness to a graph $x$ being Hamiltonian. We allow the relation $R$ to depend on $s$ and $t$ in addition to $x$ because this allows us to describe the possibility of the verifier learning (via the interaction) facts about the prover's initial state (which he does not have access to). This allows us to account for provers with auxiliary information on their work tapes. For example, $R(s, t, x, y)$ could be defined to hold iff the prover has Hamiltonian path $y$ on its work tape (in its initial state $s$).

We are therefore interested in relations $R$ on $S \times T \times L \times \{0,1\}^*$, where $S$ is the set of prover initial states and $T$ is the set of verifier initial states. We want a formal way to capture the verifier's ability to generate such witnesses for $R$. We do this by using an algorithm $M$ that takes as input the verifier's local state and the common input $x$, and is supposed to return a $y$ such that $R(s, t, x, y)$ holds. The algorithm $M$ essentially “decodes” the local state into a potential witness for $R$. More generally, we want to allow the decoding procedure $M$ to depend on the protocol $V^*$ of the verifier. We do this by using a function $M : \mathcal{TM} \to \mathcal{TM}$; intuitively $M(V^*)$ is the decoding procedure for the verifier protocol $V^*$. To reason about this in the language, we add a primitive proposition $M_{v,R}$ to the language, and define $(\mathcal{R}, r, m) \models M_{v,R}$ if $R(r_p(0), r_v(0), r_c(0), M(V^*)(r_c(0), r_v(m))(\rho^r))$ holds, where $V^*$ is the verifier protocol in run $r$ and $\rho^r$ is the extra random tape that is part of nature's local state in run $r$; this makes the output of $M(V^*)$ in run $r$ deterministic (although $M(V^*)$ is a probabilistic TM). For any constant $\lambda$, let $G_v^{M,m^*,\lambda}R$, read “the verifier can generate a $y$ satisfying $R$ using $M$ with probability $\lambda$ at time $m^*$”, be an abbreviation of $pr_v^\lambda(\text{at time } m^*\ M_{v,R})$. We can generalize this to a formula $G_v^{M,m^*,\lambda}R$ which considers functions $\lambda$ whose meaning may depend on components of the state, such as the verifier's protocol and the length of the common input; we leave the straightforward semantic details to the reader. $G_p^{M,m^*,\lambda}R$, read “the prover can generate a $y$ satisfying $R$ using $M$ with probability $\lambda$ at time $m^*$”, is defined analogously. Finally, we add the primitive proposition $s \in R_L(x)$ to the language, and define $(\mathcal{R}, r, m) \models s \in R_L(x)$ if $r_c(0) \in L$ and $r_p(0) \in R_L(r_c(0))$.


We now show how to use the formula $G_v^{M,m^*,\lambda}R$ to capture the intuitions underlying zero-knowledge proofs. Intuitively, we want to say that if the verifier can generate a $y$ satisfying a relation $R$ after the interaction, he could also do so before the interaction (i.e., without interacting with the prover at all). However, this is not quite true; a verifier can learn a $y$ satisfying $R$ during the course of an interaction, but only in a negligibly small fraction of the possible conversations. We want to capture the fact that the probability of the verifier being able to generate the witness correctly at a final point in the system is only negligibly different from the probability he can do so at the corresponding initial point (in a perfect zero knowledge system, the probabilities are exactly the same). Note that when the Turing machine $M$ used by the verifier in a particular run $r$ generates a $y$, the verifier may not know whether $y$ in fact is a witness; that is, the verifier may not know whether $R(s, t, x, y)$ in fact holds. Nevertheless, we want it to be the case that if the verifier can use some algorithm $M$ that generates a witness $y$ with a certain probability after interacting with the prover, then the verifier can generate a witness $y$ with the same probability without the interaction. This lets us account for leaks in knowledge from the interaction that the verifier may not be aware of. For example, a computationally bounded verifier may have a Hamiltonian cycle $y$ in graph $x$ as part of his local state, but no way of knowing that $y$ is in fact a Hamiltonian cycle. We want to say that the verifier knows how to generate a Hamiltonian cycle if this is the case (even if he does not know that he can do so), since there is a way for the verifier to extract a Hamiltonian cycle from his local state.


We now define relation hiding, which says that if the verifier initially knows that he can, at some future time during the interaction with the prover, generate a witness for some relation $R$ on the initial state with some probability, then he knows that he can generate a witness for $R$ at time 0, that is, before the interaction, with almost the same probability. We allow the generating machines used by the verifier (both after and before the interaction) to run in expected polynomial time in the common input and verifier view. Allowing them to run only in (strict) polynomial time would certainly also be a reasonable choice, but this would result in a notion that is stronger than the traditional notion of zero knowledge.² Let $\mathcal{EPPT}$ be the set of all expected probabilistic polynomial time algorithms (i.e., algorithms for which there exists a polynomial $p$ such that the expected running time on input $x$ is at most $p(|x|)$).


Definition 3 The system $\mathcal{R}$ is relation hiding for $L$ if, for every polynomial-time relation $R$ on $S \times T \times L \times \{0,1\}^*$ and function $M : \mathcal{TM} \to \mathcal{EPPT}$, there exist functions $M' : \mathcal{TM} \to \mathcal{EPPT}$ and $\epsilon : \mathcal{TM} \times \mathbb{N} \to [0,1]$ such that for every Turing machine $V^*$, $\epsilon(V^*, \cdot)$ is a negligible function, and for every $0 \le \lambda \le 1$ and time $m^*$,

$$\mathcal{R} \models \text{at time } 0\ \bigl(s \in R_L(x) \wedge G^{M,m^*,\lambda} R \Rightarrow G^{M',0,\lambda-\epsilon} R\bigr).$$

² In fact, it would result in a notion called strict polynomial-time zero knowledge [Goldreich 2001].

In Definition 3, we allow the meaning of $\epsilon$ to depend on the verifier's protocol $V^*$ since, intuitively, different verifier protocols may result in different amounts of knowledge being leaked. If we had not allowed $\epsilon$ to depend on the verifier protocol $V^*$, we would need a single negligible function that bounded the "leakage" of information for all verifiers in $\mathcal{V}_{PP}$. We cannot prove that such a function exists with the traditional definition of zero knowledge. Similarly, we must allow $M'$ to depend on the verifier's protocol, even if $M$ does not. Intuitively, $M'$ must be able to do at time 0 what $M$ can do at time $m^*$, so it must know something about what happened between times 0 and $m^*$. The verifier's protocol serves to provide this information, since for each verifier protocol $V^*$, the definition of zero knowledge ensures the existence of a simulator $S_{V^*}$ that can be used to mimic the interaction before time $m^*$. The relation-hiding property captures the requirement that if the verifier can eventually generate a witness for an arbitrary relation $R$, he can do so almost as well (i.e., with negligibly lower probability of correctness) initially. We now use this property to characterize zero knowledge.

Theorem 1 The interactive proof system $(P,V)$ for $L$ is computational zero knowledge iff the system $P \times \mathcal{V}_{PP}$ is relation hiding for $L$.

Theorem 1 says that if $(P,V)$ is a computational zero-knowledge proof system, then for any PPT verifier and relation $R$, if the verifier can eventually generate a witness for $R$, he can do so almost as well initially. Note that in this characterization of zero knowledge, the prover does not need to know the verifier's protocol to know that the statement holds. An intuition for the proof of Theorem 1 follows; the details (as well as all other proofs) can be found at www.cs.cornell.edu/home/halpern/papers/tark09a.pdf.

For the "if" direction, suppose that $(P,V)$ is a computational zero knowledge system. If $V^*$ is the verifier protocol in run $r \in P \times \mathcal{V}_{PP}$, then there is a simulator machine $S_{V^*}$ that produces verifier views that no distinguisher $D$ can distinguish from views during possible interactions with the prover, no matter what auxiliary input $D$ has. We show that if the verifier has an algorithm $M(V^*)$ that takes as input his view at a final point of the interaction and generates a $y$ satisfying the relation $R$, then he can generate such a $y$ before the interaction by running the simulating machine $S_{V^*}$ at the initial point to get a final view, and then running $M(V^*)$ on this view to generate $y$. We can therefore construct the function $M'$ using $M$ and $S_{V^*}$.

For the "only if" direction, given an arbitrary protocol $V^*$, we construct a relation $R$ such that the verifier has an algorithm for generating witnesses for $R$ after the interaction. Since $P \times \mathcal{V}_{PP}$ is relation hiding for $L$, the verifier has an algorithm for generating witnesses for $R$ at initial points of the interaction. We then use this generating machine to implement a simulator $S_{V^*}$ that fools any distinguisher.

4  Characterizing  Variants  of  Zero  Knowledge 

We can use the ideas of relation hiding to characterize variants of zero knowledge. In this section, we show how to characterize two well-known variants: concurrent zero knowledge and proofs of knowledge.

4.1  Concurrent  Zero  Knowledge 

So far, we have considered only single executions of an interactive proof system. However, zero-knowledge proofs are often used in the midst of other protocols. Moreover, when this is done, several zero-knowledge proofs may be going on concurrently. An adversary may be able to pass messages between various invocations of zero-knowledge proofs to gain information. Dwork, Naor, and Sahai [1998] presented a definition of concurrent zero knowledge that tries to capture the intuition that no information is leaked even in the presence of several concurrent invocations of a zero-knowledge protocol. They consider a probabilistic polynomial-time verifier that can talk to many independent provers (all using the same protocol) concurrently. The verifier can interleave messages to and from different provers as desired. We say that an extended verifier protocol is a protocol for the verifier where the verifier can interact with arbitrarily many provers concurrently, rather than just one prover. (Since we are interested in verifiers that run in polynomial time, for each extended verifier protocol $V$ there is a polynomial $q_V$ such that the verifier can interact with only $q_V(|x|)$ provers on input $x$. This means that the verifier's view also contains messages to and from at most $q_V(|x|)$ provers.) Denote by $(P(s) \leftrightarrow V(t))(x)$ the random variable that takes an infinite tuple of infinite random strings $((\rho_{p_i})_{i \in \mathbb{N}}, \rho_v)$ as input and outputs an execution where all the provers are running protocol $P$ with auxiliary input $s$ on common input $x$ and the verifier is running the extended verifier protocol $V$ with auxiliary input $t$ and common input $x$, prover $i$ has the infinite string $\rho_{p_i}$ on its random tape, and the verifier has $\rho_v$ on its random tape.

With this background, we can define concurrent zero knowledge in exactly the same way as zero knowledge (Definition 2), except that we now consider extended verifier protocols; we omit the details here.

We can model a concurrent zero-knowledge system in the runs and systems framework as follows. We now consider systems with an infinite number of agents: a verifier $v$ and an infinite number of provers $p_1, p_2, \ldots$. All agents have common input $r_c(0)$ in run $r$. As before, the provers and the verifier have initial local states. We will be interested in systems where all the provers have the same initial state and use the same protocol. Moreover, this will be a protocol where a prover talks only to the verifier, so the provers do not talk to each other. This captures the fact that the verifier can now talk to multiple provers running the same protocol, but the provers themselves cannot interact with each other (they are independent). Again, the initial local states of the provers and the verifier all contain $r_c(0)$. Additionally, we assume that nature's state at all times $m$ includes a tuple $(\rho^r_{p_1}, \ldots, \rho^r_v, \rho^r, P^*, V^*)$, where $\rho^r_{p_i}$ is prover $p_i$'s random tape and $\rho^r_v$ is the verifier's random tape in run $r$, $\rho^r$ is an additional tape as before, $P^*$ is the protocol used by all the provers, and $V^*$ is the verifier's protocol. Note that the provers' random tapes are all independent to ensure that their actions are not correlated. Given a set $\mathcal{P}$ of prover protocols and $\mathcal{V}$ of verifier protocols, let $\mathcal{P} \times \mathcal{V}$ denote the system with runs of this form, where the provers' protocol is in $\mathcal{P}$ and the verifier's protocol in $\mathcal{V}$. If $\mathcal{P} = \{P\}$, we write $P \times \mathcal{V}$. We define the probability on $\mathcal{P} \times \mathcal{V}$ as before, partitioning the runs into cells according to the protocol used and the inputs. Thus, we can identify the probability on $\mathcal{R}_{s,t,P,V}$ with the uniform distribution $\Pr_U$.

Theorem 2 The interactive proof system $(P,V)$ for $L$ is computational concurrent zero knowledge iff the system $P \times \mathcal{V}_{PP}$ is relation hiding for $L$.

The proof is almost identical to that of Theorem 1.

4.2  Proofs  of  Knowledge 

Loosely speaking, an interactive proof is a proof of knowledge if the prover not only convinces the verifier of the validity of some statement, but also that it possesses, or can "feasibly compute", a witness for the statement proved (intuitively, using the secret information in its initial state). For instance, rather than merely convincing the verifier that a graph is Hamiltonian, the prover convinces the verifier that he knows a Hamiltonian cycle in the graph. We show how this notion can be formalized using our logic. There are a number of ways of formalizing proofs of knowledge; see, for example, [Bellare and Goldreich 1992; Feige, Fiat, and Shamir 1987; Feige and Shamir 1990; Tompa and Woll 1987]. We give here a definition that is essentially that of Feige and Shamir [1990]. In the full paper, we discuss modifications that give the other variants, and how to modify our characterization to handle them.

Definition 4 An interactive proof system $(P,V)$ for a language $L$ with witness relation $R_L$ is a proof of knowledge if, for every PPT prover protocol $P^*$, there exists a negligible function $\epsilon$ and a probabilistic Turing machine $E_{P^*}$ that takes as input the common input $x$ and prover's auxiliary information $s$, runs in expected time polynomial in $|x|$, and outputs a candidate witness for $x$, such that for all $x, s, t \in \{0,1\}^*$,

$$\Pr_U[\{Accepts_V[(P^*(s) \leftrightarrow V(t))(x)]\}] - \Pr_U[\{E_{P^*}(x,s) \in R_L(x)\}] \le \epsilon(|x|).$$

Intuitively, this says that for every prover $P^*$, if $P^*$ succeeds in convincing the verifier $V$ that $x$ is in $L$, then there is a "knowledge extractor" machine $E_{P^*}$ that can extract a witness for $x$ from the prover's auxiliary information. We can think of the extractor as demonstrating that the prover really does know a witness to show that $x \in L$, given its auxiliary information $s$. We now formalize this definition of proofs of knowledge using our logic. Let $accepts$ denote the primitive proposition that holds iff the verifier enters an accept state at the end of the interaction.

Definition 5 The system $\mathcal{R}$ is witness convincing for the language $L$ with witness relation $R_L$ if there exist functions $M : \mathcal{TM} \to \mathcal{EPPT}$, $\epsilon : \mathcal{TM} \times \mathbb{N} \to [0,1]$ such that, for every Turing machine $P^*$, $\epsilon(P^*, \cdot)$ is a negligible function, and, for all $0 \le \lambda \le 1$,

$$\mathcal{R} \models \text{at time } 0\ \bigl(pr^{\lambda}(\Diamond accepts) \Rightarrow G^{M,0,\lambda-\epsilon} R_L^{+}\bigr),$$

where $(s,t,x,y) \in R_L^{+}$ iff $y \in R_L(x)$.

This definition says that there exists a function $M$ such that $M(P^*)$ can generate a $y$ such that $(s,t,x,y) \in R_L^{+}$ whenever $P^*$ makes the verifier accept in the system $\mathcal{R}$. This machine can be viewed as a knowledge extractor for $P^*$, motivating the following theorem.

Theorem 3 The interactive proof system $(P,V)$ for $L$ is a proof of knowledge iff the system $\mathcal{P}_{PP} \times V$ is witness convincing for $L$.

To see why this should be true, note that if $(P,V)$ is a proof of knowledge and if the verifier accepts on input $x$ when interacting with $P^*$, then there exists a knowledge extractor machine $E_{P^*}$ that can generate a witness $y \in R_L(x)$, and can therefore generate a $y$ such that $(s,t,x,y) \in R_L^{+}$. For the converse, as we said above, the machine $M(P^*)$ that exists by the definition of witness convincing can be viewed as a knowledge extractor for $P^*$. Again, the details can be found at www.cs.cornell.edu/home/halpern/papers/tark09a.pdf.

The major difference between the FFS and TW definitions is that, in the FFS definition, rather than allowing a different machine $E_{P^*}$ for every prover protocol $P^*$, FFS require that there be a single knowledge extractor machine $E$ that has oracle access to the prover's protocol and a fixed bivariate polynomial $p$ such that the running time of $E$ given a prover $P^*$ with runtime bounded by a polynomial $q$ and input $x$ is $p(q(|x|), |x|)$. To capture this difference, we vary the definition of witness convincing to require that $M(P^*)$ for every $P^*$ return the same machine $M$ that takes (a description of) $P^*$ as an input and has expected runtime polynomial in the runtime of $P^*$ and $|x|$.
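Both the simulator-composition step from the proof sketch of Theorem 1 ($M'(V^*)(x,t) = M(V^*)(x, S_{V^*}(x,t))$) and the knowledge extractor of this subsection can be seen concretely on Schnorr's sigma protocol for knowledge of a discrete logarithm. The Python below is an added illustration, not code from the paper: the group (the order-11 subgroup of $\mathbb{Z}_{23}^*$), the function names and the sample witnesses are all constructed for the example. It also makes two caveats visible. The simulator shown is the honest-verifier one, whereas Definition 3 and Theorem 1 need a simulator $S_{V^*}$ for every PPT $V^*$; and the extractor rewinds the prover through oracle access, which is the FFS-style single extractor just discussed rather than the per-prover machine $E_{P^*}$ of Definition 4.

```python
"""Schnorr sigma protocol in a toy group (added example, not from the paper).

Illustrates (1) the simulator-composition M'(V*)(x, t) = M(V*)(x, S_{V*}(x, t))
used in the "if" direction of Theorem 1 and (2) a rewinding knowledge extractor
of the kind behind the proof-of-knowledge definitions of Section 4.2.
Parameters are deliberately tiny so that exact distributions can be enumerated.
"""
from collections import Counter
import random

# Constructed toy parameters (assumption for this example):
# g = 2 has prime order q = 11 in Z_23^*, so 2^11 = 2048 = 1 (mod 23).
P, Q, G = 23, 11, 2


def commit(k):
    """Prover's first message a = g^k (mod p), k being the prover's coin."""
    return pow(G, k, P)


def respond(x, k, c):
    """Prover's response z = k + c*x (mod q), reusing the k from commit()."""
    return (k + c * x) % Q


def verify(y, a, c, z):
    """Verifier accepts the transcript (a, c, z) iff g^z == a * y^c (mod p)."""
    return pow(G, z, P) == (a * pow(y, c, P)) % P


def honest_transcript(x, k, c):
    """Verifier's final view of a real run with prover coin k, challenge c."""
    return (commit(k), c, respond(x, k, c))


def simulate(y, c, z):
    """Honest-verifier simulator: pick (c, z) first and solve for a = g^z * y^{-c}.
    It uses only the common input y, never the witness x."""
    y_pow_c_inv = pow(pow(y, c, P), -1, P)
    return ((pow(G, z, P) * y_pow_c_inv) % P, c, z)


def transcript_distributions_match(x):
    """Enumerate every coin choice on both sides (q*q transcripts each).
    In a perfect zero-knowledge system the two multisets coincide exactly, so any
    generator M has the same output distribution on a simulated final view as on
    a real one; that is what lets M' := M o S_{V*} work at time 0."""
    y = pow(G, x, P)
    real = Counter(honest_transcript(x, k, c) for k in range(Q) for c in range(Q))
    simulated = Counter(simulate(y, c, z) for c in range(Q) for z in range(Q))
    return real == simulated


def generate_after_simulation(m_view, y, rng=None):
    """The time-0 generator M'(x, t) = M(S(x, t)) from the proof of Theorem 1:
    feed an arbitrary view-consuming generator m_view a simulated final view."""
    rng = rng or random.Random(0)
    c, z = rng.randrange(Q), rng.randrange(Q)
    return m_view(simulate(y, c, z))


def make_honest_prover(x, k):
    """Prover oracle with its random tape fixed to k, so it can be rewound."""
    def answer(c):
        return commit(k), respond(x, k, c)
    return answer


def extract_witness(prover_oracle, c1, c2):
    """Rewinding extractor with oracle access to the prover: run it twice with the
    same commitment coin but different challenges; two accepting transcripts
    (a, c1, z1) and (a, c2, z2) give x = (z1 - z2) / (c1 - c2) (mod q)."""
    assert c1 % Q != c2 % Q, "challenges must differ for extraction"
    a1, z1 = prover_oracle(c1)
    a2, z2 = prover_oracle(c2)
    assert a1 == a2, "rewinding must reuse the prover's commitment"
    return ((z1 - z2) * pow((c1 - c2) % Q, -1, Q)) % Q


if __name__ == "__main__":
    x = 7                      # constructed sample witness
    y = pow(G, x, P)           # public statement y = g^x
    print("perfect HVZK:", transcript_distributions_match(x))
    print("simulated view verifies:", generate_after_simulation(lambda v: verify(y, *v), y))
    print("extracted witness:", extract_witness(make_honest_prover(x, k=3), 2, 5))
```

Because the toy group has only 121 coin pairs per side, transcript_distributions_match compares the full real and simulated transcript multisets; this is the "probabilities are exactly the same" case of perfect zero knowledge, and for a computational zero-knowledge system one would instead only get the negligible gap $\epsilon(V^*, \cdot)$ of Definition 3.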

5  Conclusions  and  Future  Work 

HMT formalized the notion of knowledge security and showed that a zero-knowledge proof system for $x \in L$ satisfies it: the prover is guaranteed that, with high probability, if the verifier will practically know (as defined in [Moses 1988]) a fact $\varphi$ at the end of the proof, he practically knows $x \in L \Rightarrow \varphi$ at the start. They also formalized the notion of knowing how to generate a $y$ satisfying any relation $R(x,y)$ that is BPP-testable by the verifier, and showed that zero-knowledge proofs also satisfy the analogous property of generation security (with respect to these relations). Their work left open the question of whether either of these notions of security characterizes zero knowledge.

We  have  provided  a  different  definition  of  what  it  means  for  a  polynomial-time  agent  to  know  how  to 
generate  a  string  y  satisfying  a  relation  R.  Using  this  definition  we  provide  a  logical  statement — called 
relation  hiding — that  fully  characterizes  when  an  interaction  is  zero  knowledge.  We  additionally  show 
that  variants  of  this  statement  (using  the  same  notion  of  knowing  how  to  generate)  characterize  variants 
of  zero  knowledge,  including  concurrent  zero  knowledge  and  proofs  of  knowledge. 

Our notion of relation hiding considers the verifier's knowledge at the beginning of a run (i.e., at time 0); it says that, at time 0, the verifier cannot know that he will be able to generate a witness for a relation with higher probability in the future than he currently can. We would like to make the stronger claim that the verifier will never know that he can generate a witness satisfying the relation better than he knows he can at the beginning (or, more accurately, will almost certainly never know this, since there is always a negligible probability that he will learn something). To do this, we need to talk about the verifier's knowledge and belief at all points in the system. Consider, for example, a verifier trying to factor a large number. We would like to allow for the fact that the verifier will, with some small probability, get the correct answer just by guessing. However, we want to be able to say that if, after interacting with the prover, the verifier believes that he can guess the factors with non-negligible probability then, except with very small probability, he already believed that he could guess the factors with almost the same probability before the interaction. Making this precise seems to require some axioms about how a computationally-bounded verifier's beliefs evolve. We are currently working on this, using Rantala's "impossible possible-worlds approach" [Rantala 1982] to capture the verifier's computational bounds. For example, if the verifier cannot compute whether a number $n$ is prime, he will consider possible a world where $n$ is prime and one where it is not (although one of these worlds is logically impossible). Proving analogues of our theorem in this setting seems like an interesting challenge, which will lead to a deeper understanding of variants of zero knowledge.

A  Proofs 

A.l  Computational  Zero  Knowledge 

Theorem 1: The interactive proof system $(P,V)$ for $L$ is computational zero knowledge iff the system $P \times \mathcal{V}_{PP}$ is relation hiding for $L$.

Proof. For the "if" direction, suppose that $(P,V)$ is a computational zero knowledge system and that $(P \times \mathcal{V}_{PP}, r, 0) \models G^{M,m^*,\lambda} R$ for a polynomial-time relation $R$ and functions $M : \mathcal{TM} \to \mathcal{EPPT}$ and $\lambda : \mathcal{TM} \times \mathbb{N} \to [0,1]$. We want to show that there exist functions $M' : \mathcal{TM} \to \mathcal{EPPT}$ and $\epsilon : \mathcal{TM} \times \mathbb{N} \to [0,1]$ such that $(P \times \mathcal{V}_{PP}, r, 0) \models G^{M',0,\lambda-\epsilon} R$. The intuition behind the proof is as follows. If $(P,V)$ is zero knowledge, and $V^*$ is the verifier protocol in run $r$, then there is a simulator machine $S_{V^*}$ that produces verifier views that no distinguisher $D$ can distinguish from views during possible interactions with the prover, no matter what auxiliary input $D$ has. We show that if the verifier has an algorithm $M(V^*)$ that takes as input his view at a final point of the interaction and generates a $y$ satisfying the relation $R$, then he can generate such a $y$ before the interaction by running the simulating machine $S_{V^*}$ at the initial point to get a final view, and then running $M(V^*)$ on this view to generate $y$. We can therefore construct the function $M'$ using $M$ and $S_{V^*}$.

In more detail, we want to show $(P \times \mathcal{V}_{PP}) \models \text{at time } 0\ (s \in R_L(x) \wedge G^{M,m^*,\lambda} R \Rightarrow G^{M',0,\lambda-\epsilon} R)$. Thus, we must show that for all runs $r$, we have $(P \times \mathcal{V}_{PP}, r, 0) \models (s \in R_L(x) \wedge G^{M,m^*,\lambda} R \Rightarrow G^{M',0,\lambda-\epsilon} R)$. So suppose that $r_c(0) \in L$, $r_p(0) \in R_L(r_c(0))$, and $(\{P\} \times \mathcal{V}_{PP}, r, 0) \models G^{M,m^*,\lambda} R$. By definition, this means that $(P \times \mathcal{V}_{PP}, r, 0) \models pr^{\lambda}(\text{at time } m^*\ M_{v,R})$. Assume without loss of generality that $m^*$ is greater than the final time of the interaction in all runs with input $x$. (There is such an $m^*$, since $V^*$ runs in time polynomial in $|x|$. This assumption is made without loss of generality since we are assuming perfect recall, so anything the verifier can do in the middle of the interaction, he can do at the end.) Construct a PPT distinguisher $D$ as follows. $D$ takes as input a verifier view $view_v$ and extracts the verifier's initial state $t$ from it (since by perfect recall, the initial verifier state is contained in any subsequent view). Recall that distinguishers can take auxiliary inputs as well as a view. In this case, in run $r$ we choose to give $D$ as auxiliary input the common input $x$ and the prover's state $s$ in $r$. Given $x$ and $s$ and a random string $\rho$, $D$ runs $M(V^*)$ on $x$, $view_v$, and $\rho$, where $V^*$ is the verifier's protocol in run $r$, to get $y$, and outputs $R(s,t,x,y)$. So $D$ with inputs $x$, $s$, and $\rho$ accepts the verifier's view $view_v$ iff $R(s,t,x,M(V^*)(view_v)(\rho)) = 1$ for the $t$ contained in the verifier's view.

Suppose that the verifier runs $V^*$ in $r$. Since $(P \times \mathcal{V}_{PP}, r, 0) \models pr^{\lambda}(\text{at time } m^*\ M_{v,R})$, we have

$$\mathcal{PR}_v(r,0)\bigl(\{(r',0) : (P \times V^*, r', 0) \models \text{at time } m^*\ M_{v,R},\ r'_v(0) = r_v(0),\ r'_p(0) = r_p(0)\}\bigr) \ge \lambda(V^*, |r_c(0)|).$$

Recall that we can identify $\mathcal{PR}_v(r,0)$ with $\Pr_U$, so

$$\Pr_U[\{r' \in (P \times V^*)(r) : (P \times V^*, r', 0) \models \text{at time } m^*\ M_{v,R},\ r'_v(0) = r_v(0),\ r'_p(0) = r_p(0)\}] \ge \lambda(V^*, |r_c(0)|).$$

By definition of $M_{v,R}$,

$$\Pr_U[\{r' \in (P \times V^*)(r) : R(r'_p(0), r'_v(0), r'_c(0), M(V^*)(r'_c(0), r'_v(m^*))) = 1\}] \ge \lambda(V^*, |r_c(0)|).$$

By definition of $(P \times V^*)(r)$,

$$\Pr_U[R(r_p(0), r_v(0), r_c(0), M(V^*)(r_c(0), r_v(m^*))) = 1] \ge \lambda(V^*, |r_c(0)|).$$

Thus, $D$ with auxiliary inputs $r_c(0)$ and $r_p(0)$ accepts the verifier's view $r_v(m^*)$ with probability at least $\lambda(V^*, |r_c(0)|)$ (where the probability is taken over the random choices of $D$).

Because $(P,V)$ is a computational zero-knowledge proof system for $L$, if $r_c(0) \in L$ and $r_p(0) \in R_L(r_c(0))$, then there is an expected PPT Turing machine $S_{V^*}$ and a negligible function $\epsilon(V^*)$ such that $S_{V^*}$ on input $r_c(0), r_v(0)$ outputs a verifier view such that every distinguisher, and in particular the distinguisher $D$ constructed above, accepts this view with probability at least $(\lambda - \epsilon)(V^*, |r_c(0)|)$ (taken over the random choices of $D$ and $S_{V^*}$), no matter what auxiliary information we give it, and in particular given auxiliary inputs $r_c(0)$ and $r_p(0)$. Thus, by the definition of $D$, we must have

$$\Pr_U[R(r_p(0), r_v(0), r_c(0), M(V^*)(r_c(0), S_{V^*}(r_c(0), r_v(0)))) = 1] \ge (\lambda - \epsilon)(V^*, |r_c(0)|).$$

Define $M' : \mathcal{TM} \to \mathcal{EPPT}$ by taking $M'(V^*)(x,t) = M(V^*)(x, S_{V^*}(x,t))$. Note that this definition suppresses the random choices of $M'(V^*)$, $S_{V^*}$ and $M(V^*)$; we assume that each of these machines is given a random tape, and that the random tapes of $S_{V^*}$ and $M(V^*)$ are independent, so that their outputs are not correlated. Since $S_{V^*}$ and $M(V^*)$ are both expected polynomial-time in $|x|$ and $|t|$, so is $M'(V^*)$. Note also that

$$R(r_p(0), r_v(0), r_c(0), M'(V^*)(r_c(0), r_v(0))(\rho_r)) = 1$$

iff

$$R(r_p(0), r_v(0), r_c(0), M(V^*)(r_c(0), S_{V^*}(r_c(0), r_v(0))(\rho'))(\rho)) = 1;$$

thus,

$$\Pr_U[R(r_p(0), r_v(0), r_c(0), M'(V^*)(r_c(0), r_v(0))) = 1] \ge (\lambda - \epsilon)(V^*, |r_c(0)|).$$

So $M'(V^*)$ runs in expected polynomial time and outputs a value such that

$$(P \times \mathcal{V}_{PP}, r, 0) \models pr^{\lambda - \epsilon}(\text{at time } 0\ M'_{v,R}).$$

This completes the proof of the "if" direction.

For the "only if" direction, we want to show that for every verifier protocol $V^*$, there is an EPPT algorithm $S_{V^*}$ such that for any PPT distinguisher $D$ with any auxiliary input, there exists a negligible function $\epsilon$ such that $\forall x \in L$, $\forall s \in R_L(x)$, $t, z \in \{0,1\}^*$,

$$|\Pr_U[\{D(S_{V^*}(x,t), z) = 1\}] - \Pr_U[\{D(View_v[(P(s) \leftrightarrow V^*(t))(x)], z) = 1\}]| \le \epsilon(|x|).$$

The idea behind the proof is as follows. Given an arbitrary protocol $V^*$, we construct a relation $R$ such that the verifier has an algorithm for generating witnesses for $R$ after the interaction. Since $P \times \mathcal{V}_{PP}$ is relation hiding for $L$, the verifier has an algorithm for generating witnesses for $R$ at initial points of the interaction. We then use this generating machine to implement a simulator $S_{V^*}$ that fools any distinguisher.

Recall that the set of possible verifier initial states is the set of all bitstrings $\{0,1\}^*$. For an arbitrary PPT distinguisher $D$, define the set $T_D \subseteq \{0,1\}^*$ of verifier states of the form $t = t'; 1^{poly(|x|)}; D; z; \rho_D$, where $t' \in \{0,1\}^*$, $x \in L$, $D$ is the description of the PPT distinguisher, $z \in \{0,1\}^*$, $\rho_D \in \{0,1\}^*$, and $poly(\cdot)$ is some polynomial. Define a relation $R$ by taking $R(s,t,x,y) = 1$ iff $t$ is of the form $t = t'; 1^{poly(|x|)}; D; z; \rho_D$ and the distinguisher $D$ contained in $t$ accepts on input $y$ when given the random string $\rho_D$ and auxiliary input $z$ contained in $t$ (otherwise $R(s,t,x,y) = 0$).

Define $M(V^*)$ to be the trivial machine that on input $(r_c(0), r_v(m))$ outputs the verifier's view $r_v(m)$. Suppose that there exists a function $\lambda$ and a set $A$ of runs such that for all $r \in A$, if $m^*$ is the final round in run $r$, then $(P \times \mathcal{V}_{PP}, r, 0) \models G^{M,m^*,\lambda} R$. Since $P \times \mathcal{V}_{PP}$ is relation hiding for $L$, there exists a function $M' : \mathcal{TM} \to \mathcal{EPPT}$ and a function $\epsilon : \mathcal{TM} \times \mathbb{N} \to [0,1]$ such that $\epsilon(V^*)$ is negligible and for all $r \in A$, $(P \times \mathcal{V}_{PP}, r, 0) \models s \in R_L(x) \Rightarrow G^{M',0,\lambda-\epsilon} R$. Define $S_{V^*}$ by taking

$$S_{V^*}(x,t)(\rho) = M'(V^*)(x,t)(\rho).$$

Suppose, by way of contradiction, that for some distinguisher $D$ there is a polynomial $p$ such that for infinitely many $x \in L$, $s \in R_L(x)$, and $t \in \{0,1\}^*$, there is a $z \in \{0,1\}^*$ such that there exist functions $\lambda_1^z$ and $\lambda_2^z$ (that may depend on $z$) such that $\Pr_U[\{D(S_{V^*}(x,t), z) = 1\}] = \lambda_1^z(x,s,t)$, $\Pr_U[\{D(View_v[(P(s) \leftrightarrow V^*(t))(x)], z) = 1\}] = \lambda_2^z(x,s,t)$, and $|\lambda_1^z(x,s,t) - \lambda_2^z(x,s,t)| \ge \frac{1}{p(|x|)}$. Consider the set $T_{D,S_{V^*}} \subseteq T_D$ of verifier states of the form $t = t'; 1^{q(|x|)}; D; z; \rho_D$, where $q$ is a polynomial such that $q(|x|)$ is an upper bound on the running time of the verifier protocol $V^*$ and the simulator $S_{V^*}$ on input $x$. The effect of this choice is that, given the verifier's state, the verifier and simulator cannot access the distinguisher description. Therefore, $View_v[(P(s) \leftrightarrow V^*(t))(x)(\rho_p, \rho_v)] = View_v[(P(s) \leftrightarrow V^*(t'))(x)(\rho_p, \rho_v)]$ and $S_{V^*}(x,t)(\rho_v) = S_{V^*}(x,t')(\rho_v)$. If there exists $z \in \{0,1\}^*$ such that the distinguisher $D$, given auxiliary input $z$, succeeds in distinguishing the distributions $\{View_v[(P(s) \leftrightarrow V^*(t'))(x)]\}$ and $\{S_{V^*}(x,t')\}$, then $D$ can distinguish $\{View_v[(P(s) \leftrightarrow V^*(t))(x)]\}$ and $\{S_{V^*}(x,t)\}$ given $z$. By construction of $T_{D,S_{V^*}}$, for infinitely many $x \in L$, $s \in R_L(x)$ and $t \in T_{D,S_{V^*}}$, there exist functions $\lambda_1^z$ and $\lambda_2^z$ such that $\Pr_U[\{D(S_{V^*}(x,t), z) = 1\}] = \lambda_1^z(x,s,t)$, $\Pr_U[\{D(View_v[(P(s) \leftrightarrow V^*(t))(x)], z) = 1\}] = \lambda_2^z(x,s,t)$, and $|\lambda_1^z(x,s,t) - \lambda_2^z(x,s,t)| \ge \frac{1}{p(|x|)}$ (the $z$ referenced here is contained in $t$). Without loss of generality, we can assume that $\lambda_2^z(x,s,t) - \lambda_1^z(x,s,t) \ge \frac{1}{p(|x|)}$ for infinitely many of the relevant $x$'s, $s$'s, and $t$'s. To see that this is without loss of generality, note that if $\lambda_2^z(x,s,t) - \lambda_1^z(x,s,t) \ge \frac{1}{p(|x|)}$ for only a finite number of $x$'s, $s$'s, and $t$'s, then it must be the case that $\lambda_1^z(x,s,t) - \lambda_2^z(x,s,t) \ge \frac{1}{p(|x|)}$ for infinitely many $x$'s, $s$'s, and $t$'s. In this case, we can define a distinguisher $D'$ that outputs the opposite of what $D$ outputs when given the same view and auxiliary input. Then for infinitely many $x \in L$, $s$, and $t$, there exists $z \in \{0,1\}^*$ such that $\Pr_U[\{D'(S_{V^*}(x,t), z) = 1\}] = \lambda_{1,2}^z(x,s,t)$, $\Pr_U[\{D'(View_v[(P(s) \leftrightarrow V^*(t))(x)], z) = 1\}] = \lambda_{2,2}^z(x,s,t)$, and $\lambda_{2,2}^z(x,s,t) - \lambda_{1,2}^z(x,s,t) \ge \frac{1}{p(|x|)}$, where $\lambda_{1,2}^z = 1 - \lambda_1^z$ and $\lambda_{2,2}^z = 1 - \lambda_2^z$. We can then proceed with the rest of the proof using the distinguisher $D'$ instead of $D$.

Let $A$ denote the set of tuples $(x,s,t)$ (with $x \in L$, $s \in R_L(x)$, $t \in T_{D,S_{V^*}}$) for which there exist $z \in \{0,1\}^*$ and functions $\lambda_1^z, \lambda_2^z$ such that $\Pr_U[\{D(S_{V^*}(x,t), z) = 1\}] = \lambda_1^z(x,s,t)$, $\Pr_U[\{D(View_v[(P(s) \leftrightarrow V^*(t))(x)], z) = 1\}] = \lambda_2^z(x,s,t)$, and $\lambda_2^z(x,s,t) - \lambda_1^z(x,s,t) \ge \frac{1}{p(|x|)}$. In the system $P \times \mathcal{V}_{PP}$, let $A' = \{r \in P \times V^* : (r_c(0), r_p(0), r_v(0)) \in A\}$. So for all $r \in A'$, $\Pr_U[\{D(S_{V^*}(r_c(0), r_v(0)), z) = 1\}] = \lambda_1^z(r_c(0), r_p(0), r_v(0))$ (where $z$ is contained in $r_v(0)$), $\Pr_U[\{D(View_v[(P(r_p(0)) \leftrightarrow V^*(r_v(0)))(r_c(0))], z) = 1\}] = \lambda_2^z(r_c(0), r_p(0), r_v(0))$, and $\lambda_2^z(r_c(0), r_p(0), r_v(0)) - \lambda_1^z(r_c(0), r_p(0), r_v(0)) \ge \frac{1}{p(|r_c(0)|)}$.

So for all $r \in A'$, if $m^*$ is the final round in run $r$, then by definition of $R$, $M$, and $M'$,

$$\Pr_U[R(r_p(0), r_v(0), r_c(0), M(V^*)(r_c(0), r_v(m^*)))] = \lambda_2^z(r_c(0), r_p(0), r_v(0)),$$

$$\Pr_U[R(r_p(0), r_v(0), r_c(0), M'(V^*)(r_c(0), r_v(0)))] = \lambda_1^z(r_c(0), r_p(0), r_v(0)),$$

and

$$\lambda_2^z(r_c(0), r_p(0), r_v(0)) - \lambda_1^z(r_c(0), r_p(0), r_v(0)) \ge \frac{1}{p(|r_c(0)|)}.$$

So for any negligible function $\epsilon(V^*)$,

$$\Pr_U[R(r_p(0), r_v(0), r_c(0), M'(V^*)(r_c(0), r_v(0)))] < \lambda_2^z(r_c(0), r_p(0), r_v(0)) - \epsilon(V^*)(|x|)$$

for all but finitely many $x$. By definition of $pr^{\lambda}$, for all $r \in A'$,

$$(P \times \mathcal{V}_{PP}, r, 0) \models pr^{\lambda_2}(\text{at time } m^*\ M_{v,R})$$

and

$$(P \times \mathcal{V}_{PP}, r, 0) \not\models pr^{\lambda_2 - \epsilon}(\text{at time } 0\ M'_{v,R})$$

for any negligible function $\epsilon(V^*)$. Also, by definition of $A'$, $(P \times \mathcal{V}_{PP}, r, 0) \models s \in R_L(x)$, so

$$(P \times \mathcal{V}_{PP}, r, 0) \models s \in R_L(x) \wedge G^{M,m^*,\lambda_2} R$$

and

$$(P \times \mathcal{V}_{PP}, r, 0) \not\models G^{M',0,\lambda_2 - \epsilon} R$$

for any function $\epsilon : \mathcal{TM} \times \mathbb{N} \to [0,1]$ such that $\epsilon(V^*)$ is negligible. This gives us a contradiction. ∎

A.2  Concurrent  Zero  Knowledge 

Theorem  2:  The  interactive  proof  system  (P,  V)for  L  is  computational  concurrent  zero  knowledge  iff 
the  system  P  X  Vpp  is  relation  hiding  for  L. 

Proof.  For  the  “if”  direction,  suppose  that  (P,  V)  is  a  computational  concurrent  zero  knowledge  system 
and  that  (P  x  Vpp.  r,  0)  |=  C'^1™  ~XR  for  some  arbitrary  polynomial-time  relation  R  and  some  functions 
M  :  TM  — >•  £VVT,  A  :  PM.  X  N  — ►  [0, 1],  We  want  to  show  that  there  exist  functions  M'  :  TM  — > 
8VVT ,  e  :  TM  x  N  — >  [0, 1]  such  that  (P  x  Vpp,  r,  0)  |=  GT'°'x~eR. 

Let $V^*$ be the extended verifier protocol in run $r \in P \times \mathcal{V}_{pp}$, let $x$ be the common input, and let $q_{V^*}(|x|)$ be an upper bound on the runtime of $V^*$ on common input $x$. Recall that the verifier's local state at time $m > 0$ consists of the time on the global clock, his initial information $r_v(0)$ (which contains the common input $r_c(0)$), the history of messages he has received from other agents and read, and the history of coin flips he has used. Since the verifier's running time is bounded by $q_{V^*}(|r_c(0)|)$, no matter how many messages he receives in round $m$, he can read at most $q_{V^*}(|r_c(0)|)$ of them. So his local state (and his view) at any time $m > 0$ can contain at most $q_{V^*}(|r_c(0)|)$ messages, coming from at most $q_{V^*}(|r_c(0)|)$ provers (indexed without loss of generality by $1, 2, \ldots, q_{V^*}(|r_c(0)|)$). So for every run $r$ in $P \times \mathcal{V}_{pp}$, the verifier interacts with a subset of $p_1, p_2, \ldots, p_{q_{V^*}(|r_c(0)|)}$. By the definition of concurrent zero knowledge, there is a simulator machine $S_{V^*}$ such that $S_{V^*}$ produces verifier views that are indistinguishable by any distinguisher (with any auxiliary input) from views during possible interactions of $V^*$ with up to $q_{V^*}(|x|)$ instances of $P$ on common input $x$. The proof that $P \times \mathcal{V}_{pp}$ is relation hiding now proceeds exactly as in Theorem 1.

For the "only if" direction, we want to show that for every verifier protocol $V^*$, there is an EPPT algorithm $S_{V^*}$ such that for any PPT distinguisher $D$ with any auxiliary input, there exists a negligible function $\epsilon$ such that $\forall x \in L, \forall s \in R_L(x), \forall t, z \in \{0,1\}^*$,

$$\bigl|\Pr_U[\{D(S_{V^*}(x,t), z) = 1\}] - \Pr_U[\{D(\mathrm{View}_V[(P(s) \leftrightarrow V^*(t))(x)], z) = 1\}]\bigr| < \epsilon(|x|).$$

This proof proceeds exactly as in Theorem 1, so we omit further details here. ■
A.3 Proofs of Knowledge

Theorem 3: The interactive proof system $(P, V)$ is a proof of knowledge iff the system $\mathcal{P}_{pp} \times V$ is witness convincing for $L$.

Proof. For the "if" direction of the proof, suppose that $(P, V)$ is an interactive proof system for $L$ that is a proof of knowledge. It is sufficient to show that the system $P^* \times V$ is witness convincing for $L$ for every prover protocol $P^*$. By the definition of proofs of knowledge, for every prover protocol $P^*$, there is a negligible function $\epsilon_{P^*}$ and a probabilistic Turing machine $E_{P^*}$ that takes as input the common input $x$ and the prover's auxiliary information $s$, runs in expected time polynomial in $|x|$, and outputs a candidate witness for $x$ such that for all $x, s, t \in \{0,1\}^*$,

$$\Pr_U[\{\mathrm{Accepts}_V[(P^*(s) \leftrightarrow V(t))(x)]\}] - \Pr_U[\{E_{P^*}(x,s) \in R_L(x)\}] < \epsilon_{P^*}(|x|).$$

Thus,

$$\Pr_U[\{\mathrm{Accepts}_V[(P^*(s) \leftrightarrow V(t))(x)]\}] - \Pr_U[\{(s, t, x, E_{P^*}(x,s)) \in R^+\}] < \epsilon_{P^*}(|x|), \qquad (1)$$

where the first probability $\Pr_U$ is taken over the random choices made by the prover and verifier protocols, while the second is taken over the random choices of $E_{P^*}$.
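The two objects the proofs above work with, the simulator $S_{V^*}$ of Theorem 2 (a verifier generating its own views) and the extractor $E_{P^*}$ whose success probability must track the acceptance probability up to $\epsilon_{P^*}$ in inequality (1), can both be seen on a concrete instance. The following Python is an added illustration, not code from the paper: it assumes a Schnorr-style identification protocol over a tiny prime-order group, and the parameters `P, Q, G`, the two prover classes, `extract` and `simulated_transcripts` are all constructed here. Because the group is tiny, every probability is computed exactly by enumerating the coins rather than estimated.

```python
from fractions import Fraction
from itertools import product

# Constructed toy instance (far too small for real use): G generates a subgroup
# of prime order Q in Z_P^*.  The statement is x = h, the witness w satisfies
# g^w = h, so R_L(h) = { w : g^w = h (mod p) }.
P, Q, G = 23, 11, 2

def in_relation(h, w):
    """(h, w) in R_L iff g^w = h; None (extraction failure) is never a witness."""
    return w is not None and pow(G, w, P) == h

def verify(h, a, c, z):
    """The verifier's acceptance test on a transcript (a, c, z)."""
    return pow(G, z, P) == a * pow(h, c, P) % P

class HonestProver:
    """P(s) with auxiliary input s = w, the witness; its coin is r in Z_Q."""
    def __init__(self, w):
        self.w = w
    def commit(self, r):
        self.r = r
        return pow(G, r, P)                  # a = g^r
    def respond(self, c):
        return (self.r + c * self.w) % Q     # z = r + c*w

class GuessingProver:
    """P* holding no witness: it guesses the challenge c' = r in advance."""
    def __init__(self, h):
        self.h = h
    def commit(self, r):
        self.guess, self.z = r % Q, 3        # any fixed z works
        # a = g^z * h^(-c'): the check g^z = a*h^c then holds iff c == c'
        return pow(G, self.z, P) * pow(self.h, (-self.guess) % Q, P) % P
    def respond(self, c):
        return self.z

def extract(prover, h, r, c1, c2):
    """E_{P*}: run the prover on coins r, then rewind it to the same commitment
    and answer a second challenge.  Two accepting transcripts with c1 != c2
    determine the witness; otherwise extraction fails (None)."""
    a = prover.commit(r)
    z1 = prover.respond(c1)
    assert prover.commit(r) == a             # rewinding replays the same coins
    z2 = prover.respond(c2)
    if not (verify(h, a, c1, z1) and verify(h, a, c2, z2)):
        return None
    return (z1 - z2) * pow((c1 - c2) % Q, -1, Q) % Q   # needs Python >= 3.8

def accept_probability(prover, h):
    """Pr_U[Accepts_V] over the prover's coin r and the verifier's challenge c."""
    hits = sum(verify(h, prover.commit(r), c, prover.respond(c))
               for r, c in product(range(Q), repeat=2))
    return Fraction(hits, Q * Q)

def extraction_probability(prover, h):
    """Pr_U[E_{P*}(x, s) in R_L(x)] over the prover's coin and E's two challenges."""
    pairs = [(c1, c2) for c1, c2 in product(range(Q), repeat=2) if c1 != c2]
    hits = sum(in_relation(h, extract(prover, h, r, c1, c2))
               for r in range(Q) for c1, c2 in pairs)
    return Fraction(hits, Q * len(pairs))

def knowledge_gap(prover, h):
    """Left-hand side of inequality (1); a proof of knowledge bounds it by a
    negligible epsilon_{P*}(|x|)."""
    return accept_probability(prover, h) - extraction_probability(prover, h)

def real_transcripts(w):
    """Every (a, c, z) the verifier can see when talking to the honest prover."""
    h, pr = pow(G, w, P), HonestProver(w)
    return sorted((pr.commit(r), c, pr.respond(c))
                  for r, c in product(range(Q), repeat=2))

def simulated_transcripts(h):
    """S_V: the verifier generates transcripts alone by choosing c and z first
    and solving for a; no witness is involved."""
    return sorted((pow(G, z, P) * pow(h, (-c) % Q, P) % P, c, z)
                  for c, z in product(range(Q), repeat=2))

if __name__ == "__main__":
    w = 5
    h = pow(G, w, P)                         # h = 9 for these constants
    print("honest gap  :", knowledge_gap(HonestProver(w), h))
    print("guessing gap:", knowledge_gap(GuessingProver(h), h))
    print("simulation exact:", real_transcripts(w) == simulated_transcripts(h))
```

For the honest prover the extractor always recovers $w$, so the gap in (1) is 0; for the guessing prover the verifier accepts with probability exactly $1/Q$ and extraction never succeeds, so the gap is $1/Q$, which is the quantity a negligible $\epsilon_{P^*}$ has to dominate once $Q$ has a realistic size. The set of simulated transcripts coincides with the set of real ones, which is the concrete content of "the verifier can generate the conversations on its own"; note that the simulator and the guessing prover run the same computation, and what separates them is only who fixes the challenge first.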

Define $M : \mathcal{TM} \to \mathcal{EPPT}$ and $\epsilon : \mathcal{TM} \times \mathbb{N} \to [0,1]$ by taking $M(P^*) = E_{P^*}$ and $\epsilon(P^*, \cdot) = \epsilon_{P^*}$. Suppose that there exists some $0 < \lambda < 1$ and some run $r$ such that $(P^* \times \{V\}, r, 0) \models pr_P^{\lambda}(\Diamond \mathit{accepts})$. Recall that $\Pr_{(P^* \times V)}(r)$ can be identified with the uniform distribution $\Pr_{U^3}$ over triples of random strings. So $\Pr_U[\{\mathrm{Accepts}_V[(P^*(r_p(0)) \leftrightarrow V(r_v(0)))(r_c(0))]\}] \geq \lambda$. By (1), we have

$$\Pr_U[\{(r_p(0), r_v(0), r_c(0), E_{P^*}(r_c(0), r_p(0))) \in R^+\}] \geq \lambda - \epsilon(P^*, |r_c(0)|).$$

Moreover, we have $(P^* \times V, r, 0) \models K_P(pr_P^{\lambda-\epsilon}(\text{at time } 0\; M_P R^+))$, and so $(P^* \times V, r, 0) \models G_P^{M,0,\lambda-\epsilon} R^+$.

This completes the "if" direction of the proof.

For the "only if" direction, let $(P, V)$ be an interactive proof system for $L$ such that the system $\mathcal{P}_{pp} \times V$ is witness convincing for $L$. Thus, there exist functions $M : \mathcal{TM} \to \mathcal{EPPT}$ and $\epsilon : \mathcal{TM} \times \mathbb{N} \to [0,1]$ such that for every PPT $P^* \in \mathcal{P}_{pp}$, $\epsilon(P^*, \cdot)$ is a negligible function, and for every $0 < \lambda < 1$,

$$\mathcal{P}_{pp} \times V \models \text{at time } 0\; pr_P^{\lambda}(\Diamond \mathit{accepts}) \Rightarrow G_P^{M,0,\lambda-\epsilon} R^+. \qquad (2)$$

Let $E_{P^*} = M(P^*)$ for every $P^* \in \mathcal{P}_{pp}$. Given a prover protocol $P^*$, define $\lambda_{P^*}$ so that for all $x, s, t \in \{0,1\}^*$, $\Pr_U[\{\mathrm{Accepts}_V[(P^*(s) \leftrightarrow V(t))(x)]\}] = \lambda_{P^*}(x, s, t)$. Since the probability distribution $\Pr_{\mathcal{P}_{pp} \times V}(r)$ on $\mathcal{P}_{pp} \times \{V\}(r)$ can be identified with $\Pr_{U^3}$, it follows that

$$(\mathcal{P}_{pp} \times \{V\}, r, 0) \models pr_P^{\lambda}(\Diamond \mathit{accepts})$$

for all $r \in P^* \times V$. By (2), for all $r \in P^* \times V$, we have

$$(\mathcal{P}_{pp} \times \{V\}, r, 0) \models G_P^{M,0,\lambda-\epsilon} R^+;$$

that is, $(\mathcal{P}_{pp} \times V, r, 0) \models K_P(pr_P^{\lambda-\epsilon}(\text{at time } 0\; M_P R^+))$. We can view $(s, t, x, M(P^*)(x, s)) \in R^+$ as a random variable (the probability that it is 1 is just the probability that $M(P^*)(x, s)$ returns a $y$ such that $(x, y) \in R_L$), taken over the random choices of $M(P^*)$. Since $M(P^*) = E_{P^*}$, we have that, for all $x, s, t \in \{0,1\}^*$,

$$\Pr_U[\{(s, t, x, M(P^*)(x, s)) \in R^+\}] \geq \lambda_{P^*}(x, s, t) - \epsilon(P^*, |x|).$$

That is,

$$\Pr_U[\{\mathrm{Accepts}_V[(P^*(s) \leftrightarrow V(t))(x)]\}] - \Pr_U[\{E_{P^*}(x, s) \in R_L(x)\}] < \epsilon(P^*, |x|)$$

for all $x, s, t \in \{0,1\}^*$. It follows that $(P, V)$ is a proof of knowledge. ■